πŸ” Anonymous-only RFC 9728 PRM

orank's own fix text: "If anonymous-only is correct… consider publishing a minimal PRM that explicitly signals anonymous-only access." This stays honest: empty arrays are the truth, not stubs.

GET /.well-known/oauth-protected-resource
{
  "resource": "https://orchestkit.yonyon.ai",
  "authorization_servers": [],        ← no AS exists (truth)
  "scopes_supported": [],
  "bearer_methods_supported": [],     ← no bearer token ever read (truth)
  "resource_documentation": "https://orchestkit.yonyon.ai/auth.md",
  "resource_policy_uri": "https://orchestkit.yonyon.ai/api-policy.md"
}

still 404 by design: /.well-known/oauth-authorization-server - RFC 8414 metadata
for a nonexistent authorization server would be a lie.
still forfeited: WWW-Authenticate 401 hint - a public API returning 401s would be a lie.
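
Added example (not orank's or this project's code): a consistency check for the anonymous-only posture above, taking the PRM body plus the results of two probes and reporting anything that contradicts it. The function name, the probe parameters and the TOKEN_ONLY policy are assumptions of this example.

```python
import json

# Constructed sample: the PRM body from the page with the arrow annotations removed.
SAMPLE_PRM = json.loads("""{
  "resource": "https://orchestkit.yonyon.ai",
  "authorization_servers": [],
  "scopes_supported": [],
  "bearer_methods_supported": [],
  "resource_documentation": "https://orchestkit.yonyon.ai/auth.md",
  "resource_policy_uri": "https://orchestkit.yonyon.ai/api-policy.md"
}""")

# Arrays that must advertise nothing when no token is ever issued or read.
MUST_BE_EMPTY = ("authorization_servers", "scopes_supported", "bearer_methods_supported")
# RFC 9728 parameters that only make sense for token-protected resources
# (treating them as contradictions is this example's policy, an assumption).
TOKEN_ONLY = ("jwks_uri", "resource_signing_alg_values_supported",
              "dpop_signing_alg_values_supported", "dpop_bound_access_tokens_required",
              "tls_client_certificate_bound_access_tokens")


def check_anonymous_only(prm, origin, as_metadata_status, api_status, api_headers):
    """Return findings; an empty list means the PRM and the probes agree.

    as_metadata_status: status seen for /.well-known/oauth-authorization-server
    api_status, api_headers: result of one unauthenticated API request
    """
    findings = []
    if prm.get("resource") != origin:
        findings.append("resource does not match the origin serving the PRM")
    for key in MUST_BE_EMPTY:
        value = prm.get(key, [])  # an omitted key advertises the same as []
        if not isinstance(value, list):
            findings.append(f"{key} is not a JSON array")
        elif value:
            findings.append(f"{key} advertises {value!r}")
    for key in TOKEN_ONLY:
        if prm.get(key):
            findings.append(f"{key} is set but no token is ever verified")
    if as_metadata_status != 404:
        findings.append("RFC 8414 metadata is served although no AS exists")
    if api_status == 401:
        findings.append("public API answered 401")
    if any(name.lower() == "www-authenticate" for name in api_headers):
        findings.append("WWW-Authenticate sent by an anonymous-only API")
    return findings


if __name__ == "__main__":
    print(check_anonymous_only(SAMPLE_PRM, "https://orchestkit.yonyon.ai", 404, 200, {}))
```

Run it in CI after each deploy so a later change that adds an authorization server, a 401 path or a token-related key cannot ship without the PRM and auth.md changing with it.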

auth.md updated: Discover rewritten around the PRM, live sample payloads, registration walkthrough declared N/A by design, anonymous = sole identity type. Targets: oauth-protected-resource (+2), walkthrough (+2), agent-auth-discovery (partial of 3), auth-md-structure (+1).